The Privacy community in Turkey is currently focusing on the fine imposed by the Turkish Data Protection Board ("TDPB"), against Amazon Turkey amounting to EUR 160,000. Although it is the 4th highest fine issued by the TDPB until to date, it is a landmark decision as it addresses international data transfers and electronic commercial communication. We are currently working on a detailed review.
Briefly, these are the highlights from the TDPB's decision:
- The TDPB has announced minimum requirements for commitments to be signed for transfer of personal data abroad. They were prepared taken into account standard contractual clauses issued by the European Commission under Directive 95/46/EC. But under Turkish law, signing these commitments is not sufficient. The controller must also seek the approval of the TDPB to duly transfer Turkish personal data abroad (to non-adequate countries) without acquiring consent. The Amazon Turkey Decision states that discussions for Amazon Turkey's filing for the approval of its commitment/s were ongoing but not approved by the TDPB, yet Amazon Turkey's data transfers abroad were made without duly acquiring an explicit consent from its users.
- Users were given the option to refuse transfer of their personal data to third parties upon a notification to be sent to them following a transfer to a third party. However, explicit consent must have been obtained latest at the moment of transfer; not afterwards.
- Amazon Turkey uses both strictly necessary and other cookies but informs the users that they cannot use some essential services if they reject the cookies. This makes the cookie consent a precondition for services.
The decision is landmark decision but at the same time raise some concerns:
- The Ministry of Commerce is authorized to supervise electronic commercial communications; however, it referred the electronic commercial communication complaint to the Board. Was that an applicable move or a wrong assessment of the said authority?
- The Data Protection Law ("Law") does not stipulate a specific administrative fine based on non-compliant transfer of personal data abroad. However, the Board's fine is based on violation of article 12 of the Law which primarily regulates data security obligation. The TDPB has been referring to paragraph 1 of the said article for violations of general principles set out in the Law as well as unlawful processing thereunder. Is this a correct approach or a misinterpretation of the law?
- The application for international transfers is not yet settled in Turkey. No adequacy decision has been given for a country or region, Binding Corporate Rules method has just been introduced and no standard contractual clauses were approved by the TDPB so far. Currently, substantial amount of businesses uses foreign cloud services or their headquarters or majority stockholders are abroad. This being the case, the biggest question is "How will they conduct their businesses without making the consent for transfer abroad a precondition for the use of their services?"
- There are no regulation or resolution addressing cookies in Turkey. Yet, can we say that an administrative fine for an opt-out cookie mechanism has legal grounds even if there are no specific regulation or resolution about it?
The Amazon Turkey Decision suggests that:
1. Controllers cannot rely on opt-out mechanisms.
Although there may be ambiguities on the powers of different authorities to decide on complaints regarding electronic commercial communications, the Amazon Turkey Decision correctly addresses the importance of adopting opt-in mechanisms and not relying on opt-out. This has been the established practice in Turkey for a long time and must be obeyed carefully by all controllers.
2. All consents must be explicit and informed.
Generic consents simply added to the privacy notices are not valid and lawful. Consents must be taken latest at the time of processing/transmission not later.
3. Controllers must revisit their cookie policies, re-design their website in a way to have pop-ups and obtain consent before processing personal data.
4. Controllers must rely on explicit consent for data transfers to foreign third parties or keep all personal data locally.
According to the TDPB, in relation to the data transfers to third parties residing abroad, controllers do not have any option but rely on explicit consent, given the circumstances (ie in the absence of list of adequate countries or an approval from the TDPB). The Amazon Turkey Decision suggests that if the controllers apply to the TDPB for the approval of their transfers to abroad by signing commitments, they must either rely on explicit consents of the data subjects for any transfers made or being made until that date (ie until their application date) or keep all data locally (ie not commence any transfers abroad without obtaining the approval TDPB).
As a final note, we would like to remind you that the TDPB only issued a summary of the Amazon Turkey Decision on its website. Thus, the foregoing is based on our review of that summary decision. We did not have the chance to see the TDPB's decision in its entirety. We hope that more guidance and clarification will follow in the upcoming days on the implications of this decision.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.